CVE-2025-2874: 
WordPress vulnerability analysis and mitigation

CVE-2025-2874 affects the User Submitted Posts WordPress plugin (versions up to and including 20240319) and involves a Stored Cross-Site Scripting vulnerability via admin settings. The vulnerability was discovered and disclosed on April 3, 2025, and affects multi-site installations and installations where unfiltered_html has been disabled (NVD CVE).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's admin settings. This security flaw allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page. The vulnerability has been assigned a CVSS v3.1 base score of 4.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with administrator-level permissions to inject malicious web scripts that execute in users' browsers when they visit affected pages. This could potentially lead to session hijacking, credential theft, or other client-side attacks (NVD CVE).

The vulnerability has been addressed in version 20250327 of the User Submitted Posts plugin, which improves sanitization of the custom checkbox field. Users are advised to update to this latest version to protect against potential exploitation (WordPress Plugin).